Risk Management Policy

1. Objective and Scope:-

As a global player, Dabur India Limited (“Dabur” or “Company”) perceives and regularly monitors several risks that could impact its business.

The Company operates in an environment that’s highly Volatile, Uncertain, Complex and filled with Ambiguity (VUCA), where effective risk management is a key success factor for realizing strategic objectives. Risk Management takes place in many different processes and operations throughout the Company to ensure the long-term resilience of the business. The Company closely monitors a wide range of potential risks and opportunities, including those that arise from the Political, Economic & Regulatory environment, Exchange Rate fluctuations, Technology changes, Environment and Climate Change, Pandemic and Competition.

The objective of this policy is to inculcate a culture of risk identification and risk management governance within the Company across all departments/units in their day-to-day functioning. Accordingly, it lays down the:

  1. Process for Identification and Mitigation of Risks and

  2. Framework and structure for Risk Governance and

  3. Roles and Responsibilities of various stakeholders within the organization.

2. Applicability:-

This Policy is applicable across all functions in the Company.

3. Regulatory Requirements:-

As per section 177(4)(vii) of the Companies Act 2013, every Audit Committee shall act in accordance with the terms of reference specified in writing by the Board which shall, inter alia, include, evaluation of internal financial controls and risk management systems.

As per section 134(3) of the Companies Act 2013, a statement indicating development and implementation of a risk management policy for the company including identification therein of elements of risk if any which in the opinion of the Board may threaten the existence of the company shall be attached to the financial statements laid before a Company in its general meeting by the Board of Directors.

Further, as per SEBI (Listing Obligation and Disclosure Requirements) Regulations 2015, every listed Company is required to define a Risk Management Policy covering the framework for management of key business risks. The Board, Audit Committee and Risk Management Committee are responsible for ensuring that the Company has a robust Risk Management framework and for monitoring its effectiveness on a periodic basis.

4. Risk Management Framework:-

The following diagram depicts the pillars of Risk Management Framework and flow of risk information from bottom to top covering people from Process Owners to Board.

**Risks received from units & zonal offices will be confirmed by concerned process owners in corporate office.

5. Risk Management Committee:-

S#  Name                     Role
1   Mrs. Satyavati Berera    Chairman
2   Mr. Mohit Burman         Member
3   Mr. Amit Burman          Member
4   Mr. P D Narang           Member
5   Mr. Mohit Malhotra       Member
6   Mr. Ankush Jain          Member & Joint Chief Risk Officer
7   Mr. A K Jain             Member & Joint Chief Risk Officer


**Note: Mr. Girraj Bansal (Head-IA) - Convener and Coordinator for the committee

6. Roles & Responsibilities:-

Level Roles & Responsibilities
Board of Directors
  • Overall responsibility of Risk Management
  • Determine Strategic Approach to Risk, reviewing effectiveness of the Management System
Audit Committee
  • Audit Committee shall act in accordance with the terms of reference specified in writing by the Board which shall, inter alia, include evaluation of internal financial controls and risk management systems.
Risk Management Committee
  • To formulate a detailed risk management policy which shall include:
    1. A framework for identification of internal and external risks specifically faced by the listed entity, in particular including financial, operational, sectoral, sustainability (particularly, ESG related risks), information, cyber security risks or any other risk as may be determined by the Committee.
    2. Measures for risk mitigation including systems and processes for internal control of identified risks.
    3. Business continuity plan.
  • To ensure that appropriate methodology, processes and systems are in place to monitor and evaluate risks associated with the business of the Company
  • To monitor and oversee implementation of the risk management policy, including evaluating the adequacy of risk management systems
  • To periodically review the risk management policy, at least once in two years, considering the changing industry dynamics and evolving complexity
  • To get Risk Management Systems evaluated by the Audit Committee once in a year
  • To keep the Board of Directors informed about the nature and content of its discussions, recommendations and actions to be taken:
    1. To update Risk Register on quarterly basis
    2. To report key changes in critical risks to the Board on quarterly basis
    3. To report all critical risks to the Board in detail on yearly basis
  • The appointment, removal and terms of remuneration of the Chief Risk Officer (if any) shall be subject to review by the Risk Management Committee.
  • To perform such other functions as may be prescribed by the Board of Directors
Management Committee
  • Ensure adherence to risk management policies and procedures
  • Implementing prescribed risk mitigation actions
  • Reporting risk events and incidents in a timely manner
  • Ensuring that the Key Risk Indicators or triggers are embedded into business plans, and monitored as a part of the quarterly business reviews
Chief Risk Officers
  • Formulating and deploying Risk Management policies and procedures
  • Providing updates to Management Committee and the Board from time-to-time on the enterprise risks and actions taken
Risk Coordinator
  • Facilitating execution of Risk Management practices in the organisation
  • Working closely with business units, business enabling functions and mitigation action owners in deploying mitigation measures and monitoring their effectiveness
  • Working with cross-functional teams for identifying, monitoring, and mitigating operational risks
  • Providing periodic updates to the CRO and quarterly updates to the Management Committee on risks to key business objectives and their mitigation
Zonal & Unit Heads and Process Owners
  • Ensuring units and zones are managed in accordance with the Company’s risk management practices
  • Ensuring compliance with risk management policies and procedures
  • Ensuring effectiveness of risk mitigation actions
  • Reporting risk events and incidents relating to their units and divisions in a timely manner

7. Risk Identification:-

Each unit, business division and functional department is responsible for identifying the probable risks in their areas of operation, which is then escalated to the management level. The Risk Coordinator coordinates with all corporate functions, units and zonal offices, seeking updation of existing risks as well as identification of new, emerging risks in their respective areas.

i. Risk Register:-

Risk Registers are categorized into Critical and Non-Critical. High and Medium Risks form part of the Critical Risk Register. Low Risks form part of the Non-Critical Risk Register.

The Risk Variable Scale Assessment, on the basis of Likelihood and Impact, is pre-defined and approved by the Risk Management Committee.

Risk categorizations based on the aforesaid Scale Assessment are mapped in a Heat Map (i.e. on the basis of criticality).

Internal audit scope is aligned with the Risk Register.

The Risk Register shall be maintained in Digital Form and be periodically digitally signed by the Chief Risk Officer and CEO. The periodicity should be a minimum of once in a year or whenever there is a change in Risks, whichever is earlier.

ii. Risk Register Updation:-

The Risk Register is updated on a Quarterly basis in the following manner:

    • The Internal Audit Dept. coordinates with all functions, Units and Zonal Offices, seeking updation of existing Risks as well as any new risks that have emerged in their respective areas.

    • New risks received from Units and Zonal Offices, if any, are confirmed by the concerned process owners at the Corporate Office.

    • All updates received from the respective process owners, including the Mitigation plan, are updated in the draft Risk Register by the Internal Audit Department and discussed internally in the presence of the Chief Risk Officers for their inputs before presentation to MANCOM.

    • Inputs based on the internal discussion are incorporated in the draft Risk Register before presentation to MANCOM; post presentation to MANCOM, inputs suggested by MANCOM are also updated in the draft Risk Register.

    • Post incorporation, these changes are again discussed internally with the Chief Risk Officers for their review, and the presentation is then circulated to the Risk Management Committee as part of the committee agenda papers. Post confirmation by the Risk Management Committee, the Risks are updated in the Risk Register.

8. Risk Reporting:-

Risk Management Presentation is made to the MANCOM and Risk Management Committee at quarterly frequency.

  • An annual updated Risk Management Presentation shall be made to the Board once in a year.

  • Key Changes in the Risks (i.e. addition of a new Risk or removal of a mitigated risk) shall be updated to the Board on a quarterly basis.

  • Risk Management Systems shall be presented to the Audit Committee once in a year for their evaluation.

9. Basis of Risk Variable Scale Assessment:- 

    • 2 Variables - Likelihood and Business Impact

    • 3 Scale - Low, Moderate and High

    • 3 * 3 Matrix

    • Likelihood Assessment (i.e. probability of occurrence of risk)

      • Low: ≤ 30% chance of happening

      • Moderate: > 30% but < 50% chance of happening

      • High: ≥ 50% chance of happening

    • Impact Quantification

      • Low: ≤ 5 crore INR

      • Moderate: > 5 crore INR and ≤ 25 crore INR

      • High: > 25 crore INR

Example of Critical Risk Matrix

10. Business Continuity Plan:- 

A detailed business continuity plan exercise shall be undertaken periodically with the objective of ensuring that, in case of any eventuality of High Risk nature, it is addressed immediately, within 24 hours, with no disruption to the business, including Production and Sales and related financial transaction processing.

MANCOM shall be the Crisis Management Team for this purpose and can invite internal or external persons to plan and implement the mitigation action plan.

Mitigation Plan

In case of occurrence of an event leading to the shutdown of a particular plant, alternative arrangements should be made at another plant or at a Third party manufacturing location immediately, without any loss of Production/Sales.

In case of critical IT application disaster or cyber attack, mitigation action should be implemented immediately within the defined time limits to restore the impacted application or an alternative application or the same application from an alternative place.

The Business Continuity Plan should be tested for its effectiveness at periodical intervals not exceeding three years to ensure the Company is well prepared to manage any crisis event and ensure Business Continuity.